zulip/tools/semgrep.yml

# See https://semgrep.dev/docs/writing-rules/rule-syntax/ for documentation on YAML rule syntax

rules:
  ####################### PYTHON RULES #######################
  - id: deprecated-render-usage
    pattern: django.shortcuts.render_to_response(...)
    message: "Use render() (from django.shortcuts) instead of render_to_response()"
    languages: [python]
    severity: ERROR

  - id: dont-use-stream-objects-filter
    pattern: Stream.objects.filter(...)
    message: "Please use access_stream_by_*() to fetch Stream objects"
    languages: [python]
    severity: ERROR
    paths:
      include:
        - zerver/views/

  - id: dont-import-models-in-migrations
    patterns:
      - pattern-not: from zerver.lib.redis_utils import get_redis_client
      - pattern-not: from zerver.models import filter_pattern_validator
      - pattern-not: from zerver.models import filter_format_validator
      - pattern-not: from zerver.models import generate_email_token_for_stream
      - pattern-either:
          - pattern: from zerver import $X
          - pattern: from analytics import $X
          - pattern: from confirmation import $X
    message: "Don't import models or other code in migrations; see https://zulip.readthedocs.io/en/latest/subsystems/schema-migrations.html"
    languages: [python]
    severity: ERROR
    paths:
      include:
        - "**/migrations"
      exclude:
        - zerver/migrations/0032_verify_all_medium_avatar_images.py
        - zerver/migrations/0104_fix_unreads.py
        - zerver/migrations/0206_stream_rendered_description.py
        - zerver/migrations/0209_user_profile_no_empty_password.py
        - zerver/migrations/0260_missed_message_addresses_from_redis_to_db.py
        - zerver/migrations/0387_reupload_realmemoji_again.py
        - pgroonga/migrations/0002_html_escape_subject.py

  - id: sql-format
    languages: [python]
    pattern-either:
      - pattern: ... .execute("...".format(...))
      - pattern: ... .execute(f"...")
      - pattern: psycopg2.sql.SQL(... .format(...))
      - pattern: psycopg2.sql.SQL(f"...")
      - pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
      - pattern: django.db.migrations.RunSQL(..., f"...", ...)
      - pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)
      - pattern: django.db.migrations.RunSQL(..., [..., f"...", ...], ...)
    severity: ERROR
    message: "Do not write a SQL injection vulnerability please"

  - id: translated-format
    languages: [python]
    pattern-either:
      - pattern: django.utils.translation.gettext(... .format(...))
      - pattern: django.utils.translation.gettext(f"...")
      - pattern: django.utils.translation.gettext_lazy(... .format(...))
      - pattern: django.utils.translation.gettext_lazy(f"...")
    severity: ERROR
    message: "Format strings after translation, not before"

  - id: translated-format-lazy
    languages: [python]
    pattern: django.utils.translation.gettext_lazy(...).format(...)
    severity: ERROR
    message: "Immediately formatting a lazily translated string destroys its laziness"

  - id: mutable-default-type
    languages: [python]
    pattern-either:
      - pattern: |
          def $F(..., $A: typing.List[...] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:
              ...
      - pattern: |
          def $F(..., $A: typing.Optional[typing.List[...]] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:
              ...
      - pattern: |
          def $F(..., $A: typing.Dict[...] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:
              ...
      - pattern: |
          def $F(..., $A: typing.Optional[typing.Dict[...]] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:
              ...
    severity: ERROR
    message: "Guard mutable default with read-only type (Sequence, Mapping, AbstractSet)"

  - id: percent-formatting
    languages: [python]
    pattern-either:
      - pattern: '"..." % ...'
      - pattern: django.utils.translation.gettext(...) % ...
      - pattern: django.utils.translation.gettext_lazy(...) % ...
    severity: ERROR
    message: "Prefer f-strings or .format for string formatting"

  - id: change-user-is-active
    languages: [python]
    patterns:
      - pattern-either:
          - pattern: |
              $X.is_active = ...
          - pattern: |
              setattr($X, 'is_active', ...)
      - pattern-not-inside: |
          def change_user_is_active(...):
            ...
    message: "Use change_user_is_active to mutate user_profile.is_active"
    severity: ERROR
    paths:
      exclude:
        - zerver/migrations/0373_fix_deleteduser_dummies.py

  - id: confirmation-object-get
    languages: [python]
    patterns:
      - pattern-either:
          - pattern: Confirmation.objects.get(...)
          - pattern: Confirmation.objects.filter(..., confirmation_key=..., ...)
      - pattern-not-inside: |
          def get_object_from_key(...):
            ...
    paths:
      exclude:
        - zerver/tests/
    message: "Do not fetch a Confirmation object directly, use get_object_from_key instead"
    severity: ERROR
semgrep: Update rule syntax documentation URL. 2020-12-03 16:54:36 +01:00			`# See https://semgrep.dev/docs/writing-rules/rule-syntax/ for documentation on YAML rule syntax`
sgrep: Install syntactic code search tool as an external linter. Add sgrep (sgrep.dev) to tooling and include simple rule as proof of concept. Included rule detects use of old django render function. Also added a rule that looks for if-else statements where both code paths are identical. 2020-03-19 00:32:26 +01:00
			`rules:`
lint: Reformat YAML files with Prettier. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-07-01 21:19:49 +02:00			`####################### PYTHON RULES #######################`
sgrep: Install syntactic code search tool as an external linter. Add sgrep (sgrep.dev) to tooling and include simple rule as proof of concept. Included rule detects use of old django render function. Also added a rule that looks for if-else statements where both code paths are identical. 2020-03-19 00:32:26 +01:00			`- id: deprecated-render-usage`
			`pattern: django.shortcuts.render_to_response(...)`
semgrep: Reformat and correct doc link. 2020-04-27 13:46:53 +02:00			`message: "Use render() (from django.shortcuts) instead of render_to_response()"`
sgrep: Install syntactic code search tool as an external linter. Add sgrep (sgrep.dev) to tooling and include simple rule as proof of concept. Included rule detects use of old django render function. Also added a rule that looks for if-else statements where both code paths are identical. 2020-03-19 00:32:26 +01:00			`languages: [python]`
			`severity: ERROR`
semgrep: Reformat and correct doc link. 2020-04-27 13:46:53 +02:00
semgrep: Add rule to enforce no use of stream.objects.filter. 2020-04-29 13:50:36 +02:00			`- id: dont-use-stream-objects-filter`
			`pattern: Stream.objects.filter(...)`
			`message: "Please use access_stream_by_*() to fetch Stream objects"`
			`languages: [python]`
			`severity: ERROR`
			`paths:`
install-semgrep: Upgrade semgrep to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-05 10:10:37 +02:00			`include:`
			`- zerver/views/`
semgrep: Move migrations import check lint rule to semgrep. We change how a few imports in migrations are done to be easier to lint and more consitsent with our typical import style. 2020-05-01 08:56:20 +02:00
			`- id: dont-import-models-in-migrations`
			`patterns:`
			`- pattern-not: from zerver.lib.redis_utils import get_redis_client`
			`- pattern-not: from zerver.models import filter_pattern_validator`
			`- pattern-not: from zerver.models import filter_format_validator`
			`- pattern-not: from zerver.models import generate_email_token_for_stream`
			`- pattern-either:`
			`- pattern: from zerver import $X`
			`- pattern: from analytics import $X`
			`- pattern: from confirmation import $X`
semgrep: Use documentation link instead of file path. 2021-06-17 15:02:52 +02:00			`message: "Don't import models or other code in migrations; see https://zulip.readthedocs.io/en/latest/subsystems/schema-migrations.html"`
semgrep: Move migrations import check lint rule to semgrep. We change how a few imports in migrations are done to be easier to lint and more consitsent with our typical import style. 2020-05-01 08:56:20 +02:00			`languages: [python]`
			`severity: ERROR`
			`paths:`
install-semgrep: Upgrade semgrep to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-05 10:10:37 +02:00			`include:`
			`- "**/migrations"`
			`exclude:`
			`- zerver/migrations/0032_verify_all_medium_avatar_images.py`
			`- zerver/migrations/0104_fix_unreads.py`
			`- zerver/migrations/0206_stream_rendered_description.py`
			`- zerver/migrations/0209_user_profile_no_empty_password.py`
			`- zerver/migrations/0260_missed_message_addresses_from_redis_to_db.py`
migrations: Repeat part of migration 0376. The blockquote explains the motivation for this change in detail. Fixes #21608. 2022-04-01 02:25:27 +02:00			`- zerver/migrations/0387_reupload_realmemoji_again.py`
install-semgrep: Upgrade semgrep to 0.9.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-05 10:10:37 +02:00			`- pgroonga/migrations/0002_html_escape_subject.py`
logging: Pass format arguments to logging. https://docs.python.org/3/howto/logging.html#optimization Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-05-02 08:44:14 +02:00
semgrep: Lint against common SQL injection patterns. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-05-04 01:56:44 +02:00			`- id: sql-format`
			`languages: [python]`
			`pattern-either:`
			`- pattern: ... .execute("...".format(...))`
lint: Remove other rules about percent formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:39:16 +02:00			`- pattern: ... .execute(f"...")`
semgrep: Lint against common SQL injection patterns. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-05-04 01:56:44 +02:00			`- pattern: psycopg2.sql.SQL(... .format(...))`
lint: Remove other rules about percent formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:39:16 +02:00			`- pattern: psycopg2.sql.SQL(f"...")`
migrations: Escape more pedantically in pgroonga.0001_enable. The psycopg2.SQL API unfortunately doesn’t work with django.db.migrations.RunSQL, so we need to take a detour into PL/pgSQL for EXECUTE and format. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-14 03:48:07 +02:00			`- pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)`
lint: Remove other rules about percent formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:39:16 +02:00			`- pattern: django.db.migrations.RunSQL(..., f"...", ...)`
migrations: Escape more pedantically in pgroonga.0003_v2_api_upgrade. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-14 04:05:38 +02:00			`- pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)`
lint: Remove other rules about percent formatting. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:39:16 +02:00			`- pattern: django.db.migrations.RunSQL(..., [..., f"...", ...], ...)`
semgrep: Lint against common SQL injection patterns. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-05-04 01:56:44 +02:00			`severity: ERROR`
			`message: "Do not write a SQL injection vulnerability please"`
python: Guard against default value mutation with read-only types. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-13 05:24:42 +02:00
python: Convert percent formatting to .format for translated strings. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:22:24 +02:00			`- id: translated-format`
			`languages: [python]`
			`pattern-either:`
python: Convert deprecated Django ugettext alias to gettext. django.utils.translation.ugettext is a deprecated alias of django.utils.translation.gettext as of Django 3.0, and will be removed in Django 4.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-04-16 00:57:30 +02:00			`- pattern: django.utils.translation.gettext(... .format(...))`
			`- pattern: django.utils.translation.gettext(f"...")`
			`- pattern: django.utils.translation.gettext_lazy(... .format(...))`
			`- pattern: django.utils.translation.gettext_lazy(f"...")`
python: Convert percent formatting to .format for translated strings. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:22:24 +02:00			`severity: ERROR`
			`message: "Format strings after translation, not before"`

semgrep: Treat ugettext_lazy like ugettext. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-17 02:53:53 +02:00			`- id: translated-format-lazy`
			`languages: [python]`
python: Convert deprecated Django ugettext alias to gettext. django.utils.translation.ugettext is a deprecated alias of django.utils.translation.gettext as of Django 3.0, and will be removed in Django 4.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-04-16 00:57:30 +02:00			`pattern: django.utils.translation.gettext_lazy(...).format(...)`
semgrep: Treat ugettext_lazy like ugettext. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-10-17 02:53:53 +02:00			`severity: ERROR`
			`message: "Immediately formatting a lazily translated string destroys its laziness"`

python: Guard against default value mutation with read-only types. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-13 05:24:42 +02:00			`- id: mutable-default-type`
			`languages: [python]`
			`pattern-either:`
			`- pattern: \|`
			`def $F(..., $A: typing.List[...] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:`
			`...`
			`- pattern: \|`
			`def $F(..., $A: typing.Optional[typing.List[...]] = zerver.lib.request.REQ(..., default=[...], ...), ...) -> ...:`
			`...`
			`- pattern: \|`
			`def $F(..., $A: typing.Dict[...] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:`
			`...`
			`- pattern: \|`
			`def $F(..., $A: typing.Optional[typing.Dict[...]] = zerver.lib.request.REQ(..., default={}, ...), ...) -> ...:`
			`...`
			`severity: ERROR`
			`message: "Guard mutable default with read-only type (Sequence, Mapping, AbstractSet)"`
lint: Prohibit percent formatting on literal format strings. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-14 07:01:21 +02:00
			`- id: percent-formatting`
			`languages: [python]`
			`pattern-either:`
			`- pattern: '"..." % ...'`
python: Convert deprecated Django ugettext alias to gettext. django.utils.translation.ugettext is a deprecated alias of django.utils.translation.gettext as of Django 3.0, and will be removed in Django 4.0. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-04-16 00:57:30 +02:00			`- pattern: django.utils.translation.gettext(...) % ...`
			`- pattern: django.utils.translation.gettext_lazy(...) % ...`
lint: Prohibit percent formatting on literal format strings. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-14 07:01:21 +02:00			`severity: ERROR`
			`message: "Prefer f-strings or .format for string formatting"`
semgrep: Ban eval. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-26 02:35:16 +02:00
migrations: Subscription.is_user_active denormalization - step one. This adds the is_user_active with the appropriate code for setting the value correctly in the future. In the following commit a migration to backfill the value for existing Subscriptions will be added. To ensure correct user_profile.is_active handling also in tests, we replace all direct .is_active mutation with calls to appropriate functions. 2021-02-14 00:03:40 +01:00			`- id: change-user-is-active`
			`languages: [python]`
			`patterns:`
			`- pattern-either:`
			`- pattern: \|`
			`$X.is_active = ...`
			`- pattern: \|`
			`setattr($X, 'is_active', ...)`
			`- pattern-not-inside: \|`
			`def change_user_is_active(...):`
			`...`
			`message: "Use change_user_is_active to mutate user_profile.is_active"`
			`severity: ERROR`
do_delete_user: Add migration to fix bugged UserProfiles. do_delete_users had two bugs: 1. Creating the replacement dummy users with active=True 2. Creating the replacement dummy users with email domain set to realm.uri, which may not be a valid email domain. Prior commits fixed the bugs, and this migration fixes the pre-existing objects. 2021-10-06 17:13:57 +02:00			`paths:`
			`exclude:`
			`- zerver/migrations/0373_fix_deleteduser_dummies.py`
semgrep: Enforce use of get_object_from_key for Confirmation fetching. get_object_from_key should be used when trying to fetch a Confirmation object. There are some places that need to make Confirmation.objects.filter(...) queries, so we can't completely ban the pattern, but we can ban .get(...) and .filter(..., confirmation_key=..., ...). 2021-12-02 20:31:42 +01:00
			`- id: confirmation-object-get`
			`languages: [python]`
			`patterns:`
			`- pattern-either:`
			`- pattern: Confirmation.objects.get(...)`
			`- pattern: Confirmation.objects.filter(..., confirmation_key=..., ...)`
			`- pattern-not-inside: \|`
			`def get_object_from_key(...):`
			`...`
			`paths:`
			`exclude:`
			`- zerver/tests/`
			`message: "Do not fetch a Confirmation object directly, use get_object_from_key instead"`
			`severity: ERROR`